Bug 475188
| Summary: | PHP error: undefined variable charset in squirrelmail | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Michal Hlavinka <mhlavink> |
| Component: | squirrelmail | Assignee: | Michal Hlavinka <mhlavink> |
| Status: | CLOSED ERRATA | QA Contact: | qe-baseos-daemons |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 5.5 | CC: | asersen, azelinka, dmair, herrold, jonabbey, mailings, ovasik, tokul |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | squirrelmail-1.4.8-20.el5 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-01-08 04:58:01 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 237136 | | |
| Bug Blocks: | 743405 | | |
Description
Michal Hlavinka
2008-12-08 12:56:49 UTC
The title doesn't seem to relate to the 'Additional info' log extract.

(In reply to comment #1)
> The title doesn't seem to relate to the 'Additional info' log extract.

Doesn't seem, but I know it is :)

This request was evaluated by Red Hat Product Management for inclusion, but this component is not scheduled to be updated in the current Red Hat Enterprise Linux release. If you would like this request to be reviewed for the next minor release, ask your support representative to set the next rhel-x.y flag to "?".

This request was evaluated by Red Hat Product Management for inclusion, but this component is not scheduled to be updated in the current Red Hat Enterprise Linux release. If you would like this request to be reviewed for the next minor release, ask your support representative to set the next rhel-x.y flag to "?".

Remove the squirrelmail-1.4.8-IE-Japanese-download-ugly-hack.patch patch from the RHEL src rpms or fix it. The patch is broken. The SendDownloadHeaders() rawurlencode changes fix only part of one issue. The other changes are not justified and produce the PHP errors the original bug reporter is complaining about.

---
+ if($squirrelmail_language != 'ja_JP')
+ if (isset($languages[$squirrelmail_language]['XTRA_CODE']) &&
---

The check (and the whole block) is useless. You exclude Japanese and then test for XTRA_CODE. Only the Japanese translation has usable XTRA_CODE functions. Korean XTRA_CODE is broken. You broke working code with your patch. Fedora packages removed that patch two years ago.

Hi Tomas, thanks for the info. Unfortunately I can't touch that package without PM approval (which was denied for rhel 5.5 in comment #4). Also, every patch in rhel is added only to fix some issue, and for removing that patch I have to find out the bz number it was trying to fix and check whether it works without that patch, or provide another patch. It seems this patch should fix #195639, but I'll have to look, because I didn't add this patch and I was not maintaining this package at the time it was added.
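Review bot: the guard `if($squirrelmail_language != 'ja_JP')` makes the following `isset($languages[$squirrelmail_language]['XTRA_CODE'])` test run only for non-Japanese languages, which, per the comment above, is exactly the set with no usable XTRA_CODE, so the block can never take the branch it was written for; as the comment says, it should be dropped rather than guarded this way. The second line also stops at `&&` and the outer `if` has no braces, so the remaining operands and the body being guarded are outside the fragment and need to be reviewed with it, and `$squirrelmail_language` should be confirmed to be in scope where this runs, since the log lines later in this bug report it as an undefined variable in functions/mime.php.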
This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.

Similar messages exist for other variables as well:

[Fri Dec 03 16:57:19 2010] [error] [client ELIDED] PHP Notice: Undefined variable: charset in /usr/share/squirrelmail/functions/mime.php on line 317, referer: http://ELIDED/src/right_main.php?mailbox=INBOX&startMessage=1
[Fri Dec 03 16:57:19 2010] [error] [client ELIDED] PHP Notice: Undefined variable: charset_converted in /usr/share/squirrelmail/functions/mime.php on line 316, referer: http://ELIDED/src/right_main.php?mailbox=INBOX&startMessage=1
[Fri Dec 03 16:52:23 2010] [error] [client ELIDED] PHP Notice: Undefined variable: squirrelmail_language in /usr/share/squirrelmail/functions/mime.php on line 607, referer: http://ELIDED/src/right_main.php

This is perhaps more troubling, because an 'Undefined variable' which is being used is an UNVALIDATED variable, out of scope or otherwise. Unvalidated variables have security overtones in PHP code: http://www.php.net/manual/en/security.variables.php

CVE-2010-2813 was a character set related matter
CVE-2009-1581 was problems in functions/mime.php

I've not yet traced the code paths out, but I note in a log file review that I am receiving probing attacks on that code from other continents (no such remote users existing here, of course). Perhaps this needs to be re-examined with an eye to security matters?

-- Russ herrold

CVE-2010-2813 is about login.php and IMAP functions. And SquirrelMail missed the IMAP-I18N specification, which says that LOGIN does not do 8bit passwords. CVE-2009-1581 is about increasing sanitizing in the html filtering code.
These undefined charset and language errors are about undefined local variables. Warnings are displayed, but they are not exploitable. SquirrelMail 1.4.8+ and 1.5.1+ core code does not have security issues with register_globals=on. It is highly unlikely that such issues will pop up in any SquirrelMail release between 1.4.8 and 1.4.21. You have to remove the rg sanitizing in order to make SquirrelMail vulnerable to variables injected through register_globals. The only reason for fixing it is to admit that the packager broke the code without testing it properly.

same issues on rhel 5.6, please retarget bug for 5.6

[Tue Apr 26 11:25:47 2011] [error] [client 192.168.180.1] PHP Notice: Undefined variable: charset_converted in /usr/share/squirrelmail/functions/mime.php on line 316, referer: https://gittest.local/webmail/src/right_main.php?PG_SHOWALL=0&sort=0&startMessage=1&mailbox=INBOX
[Tue Apr 26 11:25:47 2011] [error] [client 192.168.180.1] PHP Notice: Undefined variable: charset in /usr/share/squirrelmail/functions/mime.php on line 317, referer: https://gittest.local/webmail/src/right_main.php?PG_SHOWALL=0&sort=0&startMessage=1&mailbox=INBOX
[Tue Apr 26 11:25:47 2011] [error] [client 192.168.180.1] PHP Notice: Undefined variable: charset in /usr/share/squirrelmail/functions/mime.php on line 317, referer: https://gittest.local/webmail/src/right_main.php?PG_SHOWALL=0&sort=0&startMessage=1&mailbox=INBOX
[Tue Apr 26 11:25:47 2011] [error] [client 192.168.180.1] PHP Notice: Undefined variable: charset in /usr/share/squirrelmail/functions/mime.php on line 317, referer: https://gittest.local/webmail/src/right_main.php?PG_SHOWALL=0&sort=0&startMessage=1&mailbox=INBOX

(In reply to comment #11)
> same issues on rhel 5.6, please retarget bug for 5.6

You should ask RH why they continue to use 1.4.8 and don't upgrade or don't incorporate any security patches from 2010.
(In reply to comment #12)
> (In reply to comment #11)
> > same issues on rhel 5.6, please retarget bug for 5.6

Changing the version from "5.5" to "5.6" has no effect. We know that this bug is valid for 5.6; we'd close this bug otherwise.

> You should ask RH why they continue to use 1.4.8 and don't upgrade

In Fedora land we upgrade squirrelmail (or any other package) regularly, but RHEL is a different kind of product. In an ideal state we'd never ever upgrade any package, but only cherry-pick patches (it's not that simple, but there is a strict policy about this). The package needs to get approved by product management, which weighs all the pros/cons/regression risks/work required (Eng, QA, Rel, ...), and I can't affect it too much. Of course I'd like to fix them, but I'm just one piece of a big puzzle (process).

(In reply to comment #10)
> The only reason for fixing it is to admit that packager broke the
> code without testing it properly.

Yes, bugs happen. I don't know how it was tested or why the tests did not catch it, because I became squirrelmail maintainer some time later, but I'm pretty sure it did not skip testing.

> or don't incorporate any security patches from 2010.

afaik there should be no security patches missing (those that have a CVE id assigned), except "low" ones, which is decided by the security response team. All of them should be in bugzilla with comments from the security team. If you think some is really important but marked as "low", you can always comment on that bug.

well, with many users using webmail via squirrelmail, my logfiles are filled with this error like crazy. other (important) messages are drowned out by this rather annoying and UNNEEDED message. so yes, I consider this a security issue since it makes me miss the important messages

(In reply to comment #14)
> so yes, I consider this a security issue since it makes me miss the important
> messages

Unfortunately, this is far from what is seen as a security bug. You can configure syslog to grep out unneeded messages.
Btw, bugzilla is a bug tracking system, nothing more. For RHEL support, people should use https://access.redhat.com/support/ and file a proper case. Having filed at least one case for a bug bumps the bug's priority, so it gets fixed sooner.

This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.

This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.

This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0126.html
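The "grep out unneeded messages" suggestion in the thread, as an added example that is not from this bug or the SquirrelMail project: a small Python triage script that tallies the known mime.php "Undefined variable" notices from an Apache error_log and passes every other line through, so unexplained errors are not drowned out by the repeated notice. The sample log is constructed from the lines quoted in this bug plus two unrelated entries; the plugin path in it is hypothetical.

```python
"""Triage an Apache error_log so SquirrelMail's repeated 'Undefined variable'
notices (bug 475188) are counted once instead of burying other errors."""
import re
from collections import Counter

# Apache 2.2 error_log line layout, as in the lines quoted in this bug.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\] (?P<msg>.*)$"
)
# The PHP notice itself; \s+ tolerates the double space Apache usually emits.
NOTICE_RE = re.compile(
    r"^PHP Notice:\s+Undefined variable: (?P<var>\w+) in (?P<file>\S+) on line (?P<line>\d+)"
)
# Files whose undefined-variable notices this bug already explains as harmless.
KNOWN_NOISY_FILES = frozenset({"/usr/share/squirrelmail/functions/mime.php"})


def triage(lines, noisy_files=KNOWN_NOISY_FILES):
    """Return (noise, kept): noise counts known notices by (file, line, var),
    kept holds every other line verbatim, including lines that do not parse."""
    noise = Counter()
    kept = []
    for raw in lines:
        line = raw.rstrip("\n")
        m = LINE_RE.match(line)
        n = NOTICE_RE.match(m.group("msg")) if m else None
        if n and n.group("file") in noisy_files:
            noise[(n.group("file"), int(n.group("line")), n.group("var"))] += 1
        else:
            kept.append(line)  # anything unexplained stays visible
    return noise, kept


# Constructed sample: three notices as quoted in this bug, one notice from a
# hypothetical plugin path (not whitelisted), and one unrelated Apache error.
SAMPLE_LOG = [
    "[Tue Apr 26 11:25:47 2011] [error] [client 192.168.180.1] PHP Notice: Undefined variable: charset_converted in /usr/share/squirrelmail/functions/mime.php on line 316, referer: https://gittest.local/webmail/src/right_main.php?mailbox=INBOX",
    "[Tue Apr 26 11:25:47 2011] [error] [client 192.168.180.1] PHP Notice: Undefined variable: charset in /usr/share/squirrelmail/functions/mime.php on line 317, referer: https://gittest.local/webmail/src/right_main.php?mailbox=INBOX",
    "[Tue Apr 26 11:25:47 2011] [error] [client 192.168.180.1] PHP Notice: Undefined variable: charset in /usr/share/squirrelmail/functions/mime.php on line 317, referer: https://gittest.local/webmail/src/right_main.php?mailbox=INBOX",
    "[Tue Apr 26 11:26:02 2011] [error] [client 192.0.2.10] PHP Notice: Undefined variable: charset in /usr/share/squirrelmail/plugins/example_plugin/setup.php on line 12",
    "[Tue Apr 26 11:26:09 2011] [error] [client 192.0.2.10] File does not exist: /var/www/html/favicon.ico",
]

if __name__ == "__main__":
    noise, kept = triage(SAMPLE_LOG)
    for (path, lineno, var), count in sorted(noise.items()):
        print(f"{count:4d}x Undefined variable {var} at {path}:{lineno}")
    print("\n".join(kept))
```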